GeeCON Prague 2014*



REST security

Sunny Bhandari
Ranch Hand

Joined: Dec 06, 2010
Posts: 448

Hi,

I am wondering how security features are added to REST-based applications, since anyone can invoke the URL with GET, POST, DELETE or PUT in order to call my RESTful web service with spam data.

What are the common checks done by RESTful servers?

Any website that you know of which explains this in good manner will be helpful.


Java Experience
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61309

For my REST services I require authentication on every request (using HTTP basic authentication). And of course, running under SSL.


[Asking smart questions] [Bear's FrontMan] [About Bear] [Books by Bear]
Sunny Bhandari
Ranch Hand

Joined: Dec 06, 2010
Posts: 448

Encryption and SSL are fine. I understand that the message can't be seen without decrypting it.

But how is authentication implemented? I mean, in typical web applications we have text fields for user name and password, but how do you manage that in a REST web service?

How can one invoke your web service? I mean, what does the user interface look like? Do they enter the URL directly in the address bar of the browser to invoke your web service, or do they have to enter the URL in some text field on a web page designed by you?

Like, I wouldn't want anybody to be able to fire a GET request at my web service by simply entering a URL in the browser. How will I ask them for a username and password?

Hope you got my question..
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61309

Sunny Bhandari wrote: But how is authentication implemented? I mean, in typical web applications we have text fields for user name and password, but how do you manage that in a REST web service?

I already mentioned that I employ HTTP Basic Authentication.

How can one invoke your web service? I mean, what does the user interface look like? Do they enter the URL directly in the address bar of the browser to invoke your web service, or do they have to enter the URL in some text field on a web page designed by you?

There is no UI. Clients are free to create requests into the web service any way that they want.

The browser is of no use as it can only issue GETs via the address bar.

Like, I wouldn't want anybody to be able to fire a GET request at my web service by simply entering a URL in the browser. How will I ask them for a username and password?

See link above.
Sunny Bhandari
Ranch Hand

Joined: Dec 06, 2010
Posts: 448

I think I am not clear here.

Ok, I will rephrase my question.

A username and password can be asked for in a number of ways even while using basic HTTP authentication; is it a web page with username and password as text fields, or what?

Is it the same as any other sign in page like this?

Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61309

There is no page. Once again: there is no page.

A web service doesn't have a UI. It just responds to requests sent into it -- regardless of how those requests are initiated.

The article I linked to describes how the username and password are passed, encoded in the (badly named) Authorization header of the request. For example:


It is the responsibility of the client to set this header appropriately. How the client gathers the username and password is entirely up to the client. If the client is a web app, it might prompt the user as per usual in web apps. If it's code, it might just get it from properties files. One of the clients using one of my services is an iPhone app. I have no idea how it gathers the username and password, and from the point of view of the REST web service, it doesn't matter!
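The exchange the two replies above describe (require HTTP Basic Authentication on every request over SSL; the client puts the credentials in the Authorization header, the server checks them) as an added, self-contained example. This is not code from the thread or from anyone's service; the `alice` account, its password, the salt and the `/orders/42` path are constructed for illustration, and the `handle_request` and `authenticate` names are hypothetical. It shows both sides of the header (RFC 7617 Basic scheme, `base64(username ":" password)`), the 401 plus `WWW-Authenticate` challenge a server returns when the header is missing or wrong, and the edge cases a practitioner gets bitten by: a password that itself contains colons, malformed base64, and a timing difference between unknown and known usernames.

```python
"""HTTP Basic Authentication for a REST request: what the client sends, what the server checks.

Constructed example. The user 'alice', her password, the salt and the credential store are
made up for illustration and are nobody's real credentials.
"""
import base64
import binascii
import hashlib
import hmac
from typing import Dict, Optional, Tuple


def _hash_password(password: str, salt: bytes) -> bytes:
    # Never store or compare the plaintext password; compare a salted PBKDF2 digest instead.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


_SALT = b"constructed-static-salt"  # constructed; a real store keeps one random salt per user
CREDENTIALS: Dict[str, Tuple[bytes, bytes]] = {
    "alice": (_SALT, _hash_password("s3cret:with:colons", _SALT)),  # constructed account
}


def basic_auth_header(username: str, password: str) -> str:
    """Client side: build the Authorization header value (RFC 7617)."""
    if ":" in username:
        raise ValueError("username must not contain ':'")  # only the password may contain colons
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_auth(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Server side: recover (username, password) from the header, or None if absent/malformed."""
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # garbage in the header is a 401, not a 500
    if ":" not in raw:
        return None
    # Only the FIRST colon separates the fields; the password keeps any colons of its own.
    username, _, password = raw.partition(":")
    return username, password


def authenticate(headers: Dict[str, str]) -> Tuple[int, Dict[str, str], Optional[str]]:
    """Run on every request. Returns (status, response_headers, authenticated_username)."""
    challenge = {"WWW-Authenticate": 'Basic realm="rest-api", charset="UTF-8"'}
    creds = parse_basic_auth(headers.get("Authorization"))
    if creds is None:
        return 401, challenge, None
    username, password = creds
    # Hash even for unknown users so response time does not reveal which usernames exist.
    salt, expected = CREDENTIALS.get(username, (_SALT, b"\x00" * 32))
    if not hmac.compare_digest(_hash_password(password, salt), expected):
        return 401, challenge, None
    return 200, {}, username


def handle_request(method: str, path: str, headers: Dict[str, str]) -> Tuple[int, Dict[str, str], str]:
    """Hypothetical REST endpoint: every method, GET included, goes through authenticate()."""
    status, resp_headers, user = authenticate(headers)
    if status != 200:
        return status, resp_headers, "Unauthorized"
    return 200, resp_headers, f"{method} {path} as {user}"


if __name__ == "__main__":
    good = {"Authorization": basic_auth_header("alice", "s3cret:with:colons")}
    print(handle_request("DELETE", "/orders/42", good))
    print(handle_request("GET", "/orders/42", {}))  # no header: 401 with a Basic challenge
    print(handle_request("GET", "/orders/42", {"Authorization": "Basic not*base64"}))
```

Two caveats the thread's answers assume rather than spell out. Base64 is an encoding, not encryption, so the header is the password in the clear to anyone on the path; that is why the service must only be reachable over TLS (the "running under SSL" above). And the 401 with `WWW-Authenticate: Basic` is exactly what makes a browser pop up its own username/password dialog when someone types the URL into the address bar, which is the closest a pageless web service gets to "asking" for credentials.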
Sunny Bhandari
Ranch Hand

Joined: Dec 06, 2010
Posts: 448

I think I got it. Thanks for your time. Will try to implement one myself for more clarity.